How to hide credentials in logstash configuration files?


Logstash 6.2 lets you protect credentials with the keystore.

Let’s see how to use logstash-keystore.

In the following example, we will hide the ‘changeme’ password from the elasticsearch output of your Logstash pipeline config file.

To create a logstash.keystore file, open a terminal window and type the following commands:

./bin/logstash-keystore create
./bin/logstash-keystore add es_password

ℹ️ By default, the keystore is created in the same directory as the logstash.yml settings file.

./bin/logstash-keystore list should show you es_password as the answer.

📌 The option --path.settings will set the directory for the keystore. (e.g. bin/logstash-keystore --path.settings /etc/logstash/.keystore create). The keystore must be located in Logstash’s path.settings directory.

📌 When you run Logstash from an RPM or DEB package installation, the environment variables are sourced from /etc/sysconfig/logstash. You might need to create /etc/sysconfig/logstash. Please keep in mind that this file should be owned by root with 600 permissions.

# use es_password in the pipeline; ${es_password} is resolved from the keystore
output {
	elasticsearch {
		hosts => …
		user => "elastic"
		password => "${es_password}"
	}
}

ℹ️ You can set the environment variable LOGSTASH_KEYSTORE_PASS to act as the keystore password.
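The following script is an added example, not part of the original post or of Logstash: it flags `password` settings in pipeline files that are not a bare `${key}` reference and checks the mode and owner of the environment file. The function names are hypothetical, the sample configs are constructed, and it assumes Linux with GNU `stat`.

```shell
#!/bin/sh
# Added example: audit Logstash pipeline files and the service env file.
# Assumes Linux with GNU stat; function names are hypothetical.

# Print every password setting whose value is not a bare ${key} reference.
# Returns 1 if any finding was printed, 0 if all files are clean.
# Only double-quoted or unquoted values are recognised as references.
plaintext_passwords() {
    awk '
        /^[[:space:]]*#/ { next }                       # ignore comment lines
        /^[[:space:]]*password[[:space:]]*=>/ {
            v = $0
            sub(/^[^=]*=>[[:space:]]*/, "", v)          # keep the value only
            sub(/[[:space:]]+$/, "", v)
            gsub(/^"|"$/, "", v)                        # strip double quotes
            # ${key:default} is flagged too: the default is a literal secret.
            if (v !~ /^[$][{][A-Za-z0-9_.]+[}]$/) {
                printf "%s:%d: %s\n", FILENAME, FNR, $0
                bad = 1
            }
        }
        END { exit bad + 0 }
    ' "$@"
}

# True when the env file has mode 600 and the expected owner uid
# (default 0, i.e. root, as recommended for /etc/sysconfig/logstash).
env_file_ok() {
    [ "$(stat -c '%u:%a' "$1" 2>/dev/null)" = "${2:-0}:600" ]
}

# Demo on constructed sample files in a temporary directory.
demo() {
    d=$(mktemp -d) || return 1
    printf 'output {\n  elasticsearch {\n    password => "changeme"\n  }\n}\n' > "$d/before.conf"
    printf 'output {\n  elasticsearch {\n    password => "${es_password}"\n  }\n}\n' > "$d/after.conf"
    plaintext_passwords "$d/before.conf" "$d/after.conf" || echo "plaintext password found"
    rm -rf "$d"
}
demo
```

Run `plaintext_passwords` over the pipeline directory in CI or a pre-commit hook so a literal password cannot return to a config file after the keystore migration.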

Documentation

➡️ Official guide – logstash-keystore

To get help with the cli, simply use: $ ./bin/logstash-keystore help
